We have discovered that a user-mode callback invoked by the win32k!fnHkINLPMOUSEHOOKSTRUCTEX function (via KeUserModeCallback) leads to the disclosure of uninitialized stack memory to user-mode clients, due to compiler-introduced structure padding. The vulnerability affects Windows 7 64-bit; other versions of Windows have not been tested.

The act of copying uninitialized kernel memory has been detected under a number of different stack traces. One example is shown below:

In the dump above, 00 denotes bytes that are properly initialized, while ff marks uninitialized values copied back to user mode. As shown above, 8 bytes are leaked in total, at offsets 0x3c-0x3f and 0x4c-0x4f. We have determined that these bytes originally come from a smaller structure of size 0x28, which is passed down to win32k!fnHkINLPMOUSEHOOKSTRUCTEX through the 3rd argument and copied into offset 0x28 of the overall memory area passed to ring-3. More specifically, we have found that the nested structure is most likely of type MOUSEHOOKSTRUCTEX, and that the uninitialized bytes correspond to the 4 bytes of padding between the wHitTestCode and dwExtraInfo fields, and to the 4 bytes of tail padding that round the structure up to an 8-byte boundary, giving a total size of 40 (0x28) bytes.
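The padding layout described above can be reproduced on any 64-bit toolchain. The following is an added example, not code from the advisory or from Windows: it declares MOUSEHOOKSTRUCT and MOUSEHOOKSTRUCTEX with the field types from the public SDK headers (HWND and ULONG_PTR written as uint64_t, which assumes the 8-byte pointers of the Win64 ABI and an 8-byte alignment for 64-bit integers), fills the backing memory with a 0xff marker to stand in for stale stack contents, assigns every named field, and then reports which bytes were never written. The base offset 0x28 and the hypothetical field values are constructed for the demonstration. The `zero_first` path shows the usual mitigation for this bug class: clearing the whole structure (padding included) before any field is populated and the memory is copied out to user mode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Win64 layout of the public structures, written with fixed-width types so
 * the example compiles outside Windows. Assumes a 64-bit target where
 * uint64_t is 8-byte aligned (true for x86-64 Linux and Win64). */
typedef struct {
    int32_t x;
    int32_t y;
} POINT;

typedef struct {
    POINT    pt;            /* offset 0x00, 8 bytes                     */
    uint64_t hwnd;          /* offset 0x08, 8 bytes (HWND)              */
    uint32_t wHitTestCode;  /* offset 0x10, 4 bytes                     */
                            /* 0x14-0x17: compiler-inserted padding     */
    uint64_t dwExtraInfo;   /* offset 0x18, 8 bytes (ULONG_PTR)         */
} MOUSEHOOKSTRUCT;          /* sizeof == 0x20                           */

typedef struct {
    MOUSEHOOKSTRUCT base;   /* offset 0x00, 0x20 bytes                  */
    uint32_t mouseData;     /* offset 0x20, 4 bytes                     */
                            /* 0x24-0x27: tail padding, sizeof == 0x28  */
} MOUSEHOOKSTRUCTEX;

#define STALE_MARKER 0xff   /* stands in for leftover stack contents    */

/* Populate the structure field by field, the way a kernel routine would.
 * When zero_first is nonzero the memory is cleared first, which is the
 * mitigation: padding bytes then hold zeros instead of stale data.
 * Stores go through a volatile pointer so the compiler emits exactly the
 * per-field writes shown here and never touches the padding. */
static void build_struct(MOUSEHOOKSTRUCTEX *s, int zero_first)
{
    volatile MOUSEHOOKSTRUCTEX *v = s;
    memset(s, STALE_MARKER, sizeof(*s));   /* simulate a dirty stack frame */
    if (zero_first)
        memset(s, 0, sizeof(*s));          /* hardened: clear everything  */
    v->base.pt.x = 100;                    /* constructed sample values   */
    v->base.pt.y = 200;
    v->base.hwnd = 0x1234;
    v->base.wHitTestCode = 1;              /* HTCLIENT                    */
    v->base.dwExtraInfo = 0;
    v->mouseData = 0;
}

/* Build the structure and count the bytes that still carry STALE_MARKER;
 * those are exactly the bytes that would be disclosed to user mode.
 * base_off is where the nested structure sits in the larger buffer
 * (0x28 in the advisory); the absolute offsets are written to out[]. */
static size_t stale_bytes(int zero_first, size_t base_off,
                          size_t *out, size_t cap)
{
    MOUSEHOOKSTRUCTEX s;
    const unsigned char *p = (const unsigned char *)&s;
    size_t n = 0;

    build_struct(&s, zero_first);
    for (size_t i = 0; i < sizeof(s); i++) {
        if (p[i] == STALE_MARKER) {
            if (out && n < cap)
                out[n] = base_off + i;
            n++;
        }
    }
    return n;
}

int main(void)
{
    size_t offs[sizeof(MOUSEHOOKSTRUCTEX)];
    size_t n = stale_bytes(0, 0x28, offs, sizeof offs / sizeof offs[0]);

    printf("sizeof(MOUSEHOOKSTRUCTEX) = 0x%zx\n", sizeof(MOUSEHOOKSTRUCTEX));
    printf("%zu uninitialized byte(s) without zeroing:", n);
    for (size_t i = 0; i < n; i++)
        printf(" 0x%zx", offs[i]);
    printf("\n%zu uninitialized byte(s) after zeroing first\n",
           stale_bytes(1, 0x28, NULL, 0));
    return 0;
}
```

Running it on a 64-bit host prints the two 4-byte runs at 0x3c-0x3f and 0x4c-0x4f, matching the offsets in the dump, and zero leaked bytes once the structure is cleared before population. The point for reviewers is that every field was assigned; the leak comes purely from alignment padding, which is why a per-field initialization audit does not catch this class of bug and a full `memset` (or an equivalent zero-initialization) of any structure that crosses the kernel/user boundary is the reliable fix.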